Online Help
14 July 2026 | 11:29 am

Most businesses think about login security in terms of passwords and MFA. Conditional Access adds a third layer that’s often overlooked: control over where a sign-in is coming from in the first place.

 

In Microsoft Entra (formerly Azure AD), Conditional Access policies let you define rules based on location, device, application, and risk signals, then automatically allow, block, or challenge a sign-in attempt that meets those conditions. The most common starting point for most businesses is location-based blocking: defining named locations using IP ranges or CIDR notation, then building policies that block sign-ins from countries your business has no legitimate reason to operate in.

 

This sounds simple, but it closes off a huge amount of opportunistic attack traffic. Many account compromise attempts come from automated tools cycling through stolen credentials at scale, often from infrastructure based in regions far from where your actual staff are working. A well-configured country-blocking policy stops those attempts before MFA is even prompted, reducing both risk and the volume of MFA fatigue-style attacks where attackers spam approval requests hoping someone taps “yes” by mistake.

 

Beyond simple country blocking, Conditional Access can layer in more nuanced rules: requiring a compliant, managed device for access to sensitive applications, requiring stronger authentication when a sign-in is flagged as risky, or blocking legacy authentication protocols entirely (these older protocols don’t support MFA and remain a common attack vector).

 

The setup itself isn’t complicated, but getting the policy logic right matters. Overly aggressive policies lock out legitimate travelling staff; overly permissive ones leave gaps. It’s worth testing policies in report-only mode first, reviewing the sign-in logs to see what would have been blocked, before switching enforcement on.

 

If your business hasn’t reviewed its Conditional Access setup recently, or doesn’t have one at all, it’s one of the highest-impact, lowest-disruption changes you can make to your security posture. Get in touch if you’d like us to review your current setup or help you build one from scratch.